Setting Up Informix HQ With SSL

As security becomes more important and auditors get stricter about encrypting data, we all want to make sure our environments protect our data as much as possible.
Informix HQ is a great tool for managing your Informix environment; it doesn't take long to set up and can be incredibly valuable to your organization.

Once you have it set up you may notice that the communication between the HQ server and the agent is unencrypted, so let's change that.

In this example the HQ system is set up using the default monitoring-server.properties and monitoring-agent.properties, which can be found among the example files in $INFORMIXDIR/hq.

The HQ system is set up with 2 different agents deployed to 2 Informix servers. We are going to reconfigure it to work exclusively over SSL. At this point stop the agents and the server.

Our first step is to use the Java keystore tool ‘keytool’ to create a new keystore for us to use. Make sure to save the password you choose. In $INFORMIXDIR/hq run:

keytool -genkey -keyalg RSA -alias selfsigned -keystore hq_keystore.jks

When it prompts for “What is your first and last name?” enter the hostname of the HQ server. This needs to be the hostname the Informix servers know the HQ server by, and also the hostname you will use to connect from browsers, because the certificate is checked against the name used to connect.

Next we need to modify the monitoring-server.properties file to enable SSL on the web server. Change:

# httpsPort can be any secure port you want to use (a comment must be on its own line; an inline # becomes part of the value)
httpsPort=8443
redirectHTTPtoHTTPS=true
ssl.keystore.file=/opt/informix/hq/hq_keystore.jks
ssl.keystore.password=<password for the keystore above>

Note that some operating systems will not let non-root users start services on ports < 1024.

After starting the HQ server again, the log file should contain:

2024-11-29 15:45:25 [main] INFO  c.i.h.s.JettyServer - Serving UI from JAR...
2024-11-29 15:45:26 [main] INFO  c.i.h.s.JettyServer - Configuring server for HTTP on port 8080
2024-11-29 15:45:26 [main] INFO  c.i.h.s.JettyServer - Configuring server for HTTPS on port 8443

At this point if you go back to the URL you will see it redirect you to the new HTTPS port (8443), and you will get a browser warning about a self-signed certificate. This is fine to approve once you have confirmed it is the certificate you just generated.

Next we need to let the agent know about the SSL listener. First, export the server certificate from the server keystore:

keytool -export -alias selfsigned -file server_cert.cer -keystore hq_keystore.jks

Next we need to create a new agent keystore. This imports the certificate exported above into a new keystore; give it a unique password:

keytool -import -v -trustcacerts -alias selfsigned -file server_cert.cer -keystore agent_certs.jks

In the monitoring-agent.properties file change:

server.port=8443
ssl.enable=true
ssl.keystore.file=/opt/informix/hq/agent_certs.jks
ssl.keystore.password=<password above>

Bring up the agent as normal. You should see it connect and behave as before, except that it is now communicating over an encrypted channel. You can repeat the same keytool agent keystore creation on any remote systems, or just copy the agent_certs.jks file over to them (only that file: hq_keystore.jks holds the server's private key and should stay on the HQ server).
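As an added example (not part of the original post or of Informix HQ), here is a small Python checker that reads both properties files the way java.util.Properties does and flags the settings this walkthrough depends on: a non-numeric httpsPort (an inline comment ends up inside the value), a port below 1024, a disabled redirect or ssl.enable, a port mismatch between server and agent, a placeholder password, and an agent pointed at the server's own keystore. The property names are the ones used above; the sample file contents are constructed.

```python
# Added example, not Informix HQ code; the property names are the ones used above.
import re

def parse_properties(text):
    """Properties subset: '#' or '!' comment only at line start; an inline '#' is data."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"([^=:\s#!][^=:\s]*)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_hq_ssl(server, agent):
    """Return the list of problems found; an empty list means the two files agree."""
    problems = []
    https = server.get("httpsPort", "")
    if not https.isdigit():
        problems.append("httpsPort is not a plain integer: %r (inline comment?)" % https)
    elif int(https) < 1024:
        problems.append("httpsPort %s is below 1024; a non-root start may fail" % https)
    if server.get("redirectHTTPtoHTTPS", "").lower() != "true":
        problems.append("redirectHTTPtoHTTPS is not true; plain HTTP stays reachable")
    if agent.get("ssl.enable", "").lower() != "true":
        problems.append("agent ssl.enable is not true; agent traffic stays cleartext")
    if agent.get("server.port") != https:
        problems.append("agent server.port %r != httpsPort %r" % (agent.get("server.port"), https))
    for name, props in (("server", server), ("agent", agent)):
        if not props.get("ssl.keystore.file"):
            problems.append(name + ": ssl.keystore.file is missing")
        if re.match(r"^<.*>$", props.get("ssl.keystore.password") or "<unset>"):
            problems.append(name + ": ssl.keystore.password is unset or still a placeholder")
    # hq_keystore.jks holds the private key; agents get only the exported cert in agent_certs.jks
    if server.get("ssl.keystore.file") and server["ssl.keystore.file"] == agent.get("ssl.keystore.file"):
        problems.append("agent reuses the server keystore (private key exposed)")
    return problems

# Constructed samples: SERVER_BAD keeps the inline comment and the placeholder password.
SERVER_BAD = """httpsPort=8443  # This can be any secure port you want to use
redirectHTTPtoHTTPS=true
ssl.keystore.file=/opt/informix/hq/hq_keystore.jks
ssl.keystore.password=<password for the keystore above>"""
SERVER_OK = """# Any port works, but ports below 1024 usually need root to bind
httpsPort=8443
redirectHTTPtoHTTPS=true
ssl.keystore.file=/opt/informix/hq/hq_keystore.jks
ssl.keystore.password=example-server-secret"""
AGENT_OK = """server.port=8443
ssl.enable=true
ssl.keystore.file=/opt/informix/hq/agent_certs.jks
ssl.keystore.password=example-agent-secret"""
```

Calling check_hq_ssl(parse_properties(SERVER_BAD), parse_properties(AGENT_OK)) reports the broken httpsPort value and the placeholder password; with SERVER_OK it returns an empty list.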

Tom Beebe (tom@xdbsystems.com)
xDB Systems Inc